Verifiable Functional Encryption

In light of security challenges that have emerged in a world with complex networks and cloud computing, the notion of functional encryption has recently emerged. In this work, we show that in several applications of functional encryption even those cited in the earliest works on functional encryption, the formal notion of functional encryption is actually not sufficient to guarantee security. This is essentially because the case of a malicious authority and/or encryptor is not considered. To address this concern, we put forth the concept of verifiable functional encryption, which captures the basic requirement of output correctness: even if the ciphertext is maliciously generated and even if the setup and key generation is malicious, the decryptor is still guaranteed a meaningful notion of correctness which we show is crucial in several applications. We formalize the notion of verifiable function encryption and, following prior work in the area, put forth a simulation-based and an indistinguishability-based notion of security. We show that simulation-based verifiable functional encryption is unconditionally impossible even in the most basic setting where there may only be a single key and a single ciphertext. We then give general positive results for the indistinguishability setting: a general compiler from any functional encryption scheme into a verifiable functional encryption scheme with the only additional assumption being the Decision Linear Assumption over Bilinear Groups DLIN. We also give a generic compiler in the secret-key setting for functional encryption which maintains both message privacy and function privacy. Our positive results are general and also apply to other simpler settings such as Identity-Based Encryption, Attribute-Based Encryption and Predicate Encryption. We also give an application of verifiable functional encryption to the recently introduced primitive of functional commitments. Finally, in the context of indistinguishability obfuscation, there is a fundamental question of whether the correct program was obfuscated. In particular, the recipient of the obfuscated program needs a guarantee that the program indeed does what it was intended to do. This question turns out to be closely related to verifiable functional encryption. We initiate the study of verifiable obfuscation with a formal definition and construction of verifiable indistinguishability obfuscation.

[1]  Tatsuaki Okamoto,et al.  Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption , 2010, IACR Cryptol. ePrint Arch..

[2]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[3]  Nir Bitansky,et al.  Indistinguishability Obfuscation from Functional Encryption , 2018, J. ACM.

[4]  Amit Sahai,et al.  Multi-Input Functional Encryption , 2014, IACR Cryptol. ePrint Arch..

[5]  Craig Gentry,et al.  Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits , 2014, EUROCRYPT.

[6]  Vinod Vaikuntanathan,et al.  Predicate Encryption for Circuits from LWE , 2015, CRYPTO.

[7]  Rafail Ostrovsky,et al.  Non-interactive Zaps and New Techniques for NIZK , 2006, CRYPTO.

[8]  Jonathan Katz,et al.  Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products , 2008, Journal of Cryptology.

[9]  Vipul Goyal,et al.  Multi-input Functional Encryption with Unbounded-Message Security , 2015, ASIACRYPT.

[10]  Adam O'Neill,et al.  Definitional Issues in Functional Encryption , 2010, IACR Cryptol. ePrint Arch..

[11]  Vipul Goyal,et al.  Reducing Trust in the PKG in Identity Based Cryptosystems , 2007, CRYPTO.

[12]  Katsuyuki Takashima,et al.  Expressive Attribute-Based Encryption with Constant-Size Ciphertexts from the Decisional Linear Assumption , 2020, SCN.

[13]  Manuel Barbosa,et al.  Delegatable Homomorphic Encryption with Applications to Secure Outsourcing of Computation , 2012, CT-RSA.

[14]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[15]  Vinod Vaikuntanathan,et al.  Attribute-based encryption for circuits , 2013, STOC '13.

[16]  Amit Sahai,et al.  Worry-free encryption: functional encryption with public keys , 2010, CCS '10.

[17]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[18]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[19]  Vinod Vaikuntanathan,et al.  Functional Encryption: New Perspectives and Lower Bounds , 2013, IACR Cryptol. ePrint Arch..

[20]  Brent Waters,et al.  Black-box accountable authority identity-based encryption , 2008, CCS.

[21]  Brent Waters,et al.  Functional Encryption: Definitions and Challenges , 2011, TCC.

[22]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[23]  Yael Tauman Kalai,et al.  Reusable garbled circuits and succinct functional encryption , 2013, STOC '13.

[24]  Elaine Shi,et al.  Predicate Privacy in Encryption Systems , 2009, IACR Cryptol. ePrint Arch..

[25]  Amit Sahai,et al.  Multi-input Functional Encryption for Unbounded Arity Functions , 2015, ASIACRYPT.

[26]  Abhishek Jain,et al.  Indistinguishability Obfuscation from Compact Functional Encryption , 2015, CRYPTO.

[27]  Amit Sahai,et al.  A note on VRFs from Verifiable Functional Encryption , 2017, IACR Cryptol. ePrint Arch..

[28]  Salil P. Vadhan,et al.  Derandomization in Cryptography , 2007, SIAM J. Comput..

[29]  Hoeteck Wee,et al.  Multi-input Inner-Product Functional Encryption from Pairings , 2017, EUROCRYPT.

[30]  Moti Yung,et al.  Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions , 2016, ICALP.

[31]  Amit Sahai,et al.  Function Private Functional Encryption and Property Preserving Encryption : New Definitions and Positive Results , 2013, IACR Cryptol. ePrint Arch..

[32]  Amit Sahai,et al.  Achieving Compactness Generically: Indistinguishability Obfuscation from Non-Compact Functional Encryption , 2015, IACR Cryptol. ePrint Arch..

[33]  Vinod Vaikuntanathan,et al.  Functional Encryption with Bounded Collusions via Multi-party Computation , 2012, CRYPTO.

[34]  Nir Bitansky,et al.  ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation , 2015, TCC.

[35]  Parampalli Udaya,et al.  E cient Identity-based Signcryption without Random Oracles , 2012, AISC.

[36]  Amit Sahai,et al.  Fully Secure Accountable-Authority Identity-Based Encryption , 2011, Public Key Cryptography.